Through presentations, demonstrations, and readings, this course will introduce security concepts for use with Amazon Web Services (AWS).
Each week will focus on different aspects of security on AWS. In week one we will review some basic concepts such as "least privilege" and the "shared security model". You will learn about AWS compliance programs, and look at securing AWS accounts using AWS IAM.
In the second week, we will focus on securing your infrastructure. We will look at network isolation and endpoint security. We will then look at detective controls such as Amazon CloudTrail and AWS CloudTrail, as well as AWS Security Hub, Amazon GuardDuty and AWS Config.
Week three will focus on data protection. We will look at encryption of data at rest, in motion, and best practices for how to store data within and between various AWS services.
In the final week of the course, we will look at protecting compute resources such as Amazon EC2 and AWS Lambda as well as managing secrets and finish off the course with a look at the AWS Well-Architected Framework.
Class forums will also allow you to ask questions and interact with AWS training instructors.
This course has been developed by AWS, and is delivered by AWS Solutions Architects.

Instructors:

Rudy Chetty

Hong Pham

Transcript

- [Rudy] Welcome to the video on VPCs, or Virtual Private Cloud. And before you ask yourself what it is, rewind this video. It's literally in the name! But I don't expect you to actually rewind. I mean, what are we in? The 80s? Next thing, you'll be cleaning your VCR and putting on some swanky leg warmers. But, I digress. A VPC, or Virtual Private Cloud, is a way to logically separate your AWS infrastructure from other customers. Think about our bees. We want to create a fort around them, our AWS account, and then go further and isolate them into hives. So if we go into the VPC itself, we want to minimize the risk to our most critical infrastructure. And we can do this with subnets, or a logical subdivision of our IPs. For example, we want our fighter bees, or EC2 instances, to be able to access the internet and be accessed from it, so we put them in a public subnet. This is done via NACLs, not Sonic and NACLs, but network access control lists. These lists contain IPs, which are allowed or denied access to the subnet. They are also stateless, so if you allow something in, you must explicitly allow it out via a rule. Taking our illustration into consideration, you can see we are allowing inbound access on all IPs via the TCP protocol on port 80. And as I mentioned, these rules are stateless, so we need to explicitly add an outbound rule if we want our traffic to be able to return. Now with our queen bee, or RDS cluster, we don't need to allow access via the internet, as it's all handled in the application sitting on our EC2 instance, so we make this a subnet that is private. This means it's not visible to the internet, and our queen is in safer hands behind her private quarters. Now, say you want to go further and protect a single fighter bee, or EC2 instance. You can provision a security group for it. Security groups act as firewalls for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.
This fine-grained access is defined by allow rules and looks as follows. In this example, we see that we are allowing SQL traffic to a database server, similar to a NACL. The difference being that security groups are stateful, so return traffic is automatically allowed, regardless of any rules. And, that's it for VPC in this video. Next up, you'll learn about private links.
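As an added example that is not part of the course or the transcript, the following Python model shows the stateless-versus-stateful point made above: a NACL that only allows inbound TCP 80 drops the server's reply until an outbound rule for ephemeral ports is added, while a security group accepts the reply of a tracked flow with no outbound rule at all. The rule numbers, port ranges and packets are constructed for illustration, not taken from any AWS configuration.

```python
"""Model of how a stateless NACL and a stateful security group treat the
return leg of a connection. Added example; rules and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the subnet / instance
    proto: str              # "tcp" or "udp"
    port: int               # destination port of this packet
    tracked_reply: bool = False  # True when this packet answers an allowed flow


def nacl_allows(rules, pkt):
    """Stateless: evaluate numbered rules lowest-first, first match wins.
    A rule is (number, direction, proto, port_lo, port_hi, action); anything
    unmatched falls through to the implicit final deny."""
    for _num, direction, proto, lo, hi, action in sorted(rules):
        if direction == pkt.direction and proto in (pkt.proto, "all") and lo <= pkt.port <= hi:
            return action == "allow"
    return False


def sg_allows(rules, pkt):
    """Stateful: only allow rules exist (direction, proto, port_lo, port_hi).
    Connection tracking admits the reply of an allowed flow regardless of rules."""
    if pkt.tracked_reply:
        return True
    return any(d == pkt.direction and p == pkt.proto and lo <= pkt.port <= hi
               for d, p, lo, hi in rules)


# Inbound HTTP request from the internet and the server's reply. The reply is
# addressed to the client's ephemeral source port, which is the destination
# port the NACL sees on the outbound leg (constructed value).
REQUEST = Packet("in", "tcp", 80)
REPLY = Packet("out", "tcp", 51234, tracked_reply=True)

NACL_INBOUND_ONLY = [(100, "in", "tcp", 80, 80, "allow")]
NACL_WITH_RETURN = NACL_INBOUND_ONLY + [(100, "out", "tcp", 1024, 65535, "allow")]
SG_DB = [("in", "tcp", 3306, 3306)]   # "SQL traffic to a database server"


def http_roundtrip_allowed(nacl_rules):
    """Both legs of the request/response must pass a stateless NACL."""
    return nacl_allows(nacl_rules, REQUEST) and nacl_allows(nacl_rules, REPLY)


if __name__ == "__main__":
    print("NACL, inbound rule only:", http_roundtrip_allowed(NACL_INBOUND_ONLY))
    print("NACL, with ephemeral outbound rule:", http_roundtrip_allowed(NACL_WITH_RETURN))
    print("SG, reply to allowed SQL flow:", sg_allows(SG_DB, Packet("out", "tcp", 49152, tracked_reply=True)))
```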